Obviously the issue is on the Spoke router. Without the config I won't be
able to tell what exactly is misconfigured. But I would check the
access-list first, and if you have NAT configured, check the route-map.
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL
PIX will support IPSec over UDP in ver 6.3
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Richard Deal
Sent: Wednesday, November 20, 2002 12:09 PM
To: [EMAIL PROTECTED]
Subject: Re: pix vpn [7:57740]
Ciaron,
You know, I've been
Try to block the login servers:
http://acronymsonline.com/im_ips.htm
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Josh Green
Sent: Monday, November 18, 2002 10:16 AM
To: [EMAIL PROTECTED]
Subject: RE: Block MSN Messenger [7:57595
Static translations with ports:
Example:
ip nat inside source static tcp 192.168.10.1 25 171.69.232.209 25
Make a search on ip nat inside source static tcp - you'll find quite a few
examples...
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:nobody;groupstudy.com
, not source.
You use PIX for security - router for routing. Just connect a router to the
outside interface of the PIX and make it load balance, route based on
destination and so on..
--Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:nobody;groupstudy.com]On Behalf Of
[EMAIL
That is the normal behavior of the PIX. You'll not be able to change it...
If you want to test the connectivity through the PIX, do not ping the
outside interface of the PIX from the inside, but ping the default gateway
of the PIX.
-- Lidiya White
-Original Message-
From: [EMAIL
Just use
static (inside,outside) 172.16.20.0 172.16.20.0 netmask 255.255.255.0
and then create conduits for the type of traffic you want to allow from the
outside to the inside.
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Azhar Teza
it's on the router... Check 'nat on a stick' config examples. Traffic HAS
to go through an 'ip nat inside' and an 'ip nat outside' interface to be
NATted. If it goes only through an ip nat inside interface, NAT will not
happen...
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED
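The three points above (a spoke router whose NAT route-map has to keep the VPN traffic out of NAT, static translations with ports, and the rule that traffic must cross both an 'ip nat inside' and an 'ip nat outside' interface to be translated) put together in one IOS configuration. This is an added example, not a configuration posted on the list; the interface names, the addresses (192.168.10.0/24 inside, 171.69.232.208/29 outside, 10.0.0.0/24 at the hub, hub peer 203.0.113.1), the key and the transform set are all assumptions.

```cisco
! Constructed IOS example (not from the thread): spoke router with a static
! port translation for a mail server, PAT for everything else, and NAT
! exemption for the traffic that must enter the IPsec tunnel to the hub.
!
interface Ethernet0
 description LAN - NAT inside
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
!
interface Serial0
 description ISP - NAT outside and tunnel endpoint
 ip address 171.69.232.210 255.255.255.248
 ip nat outside
 crypto map SPOKE
!
! Without BOTH an 'ip nat inside' and an 'ip nat outside' interface in the
! path nothing is translated: a packet that enters and leaves through
! 'inside' interfaces never touches the NAT table.
!
! Static translation with ports: only TCP/25 on 171.69.232.209 is forwarded
! to the inside mail server. 'extendable' is needed once another static
! entry reuses the same local or global address.
ip nat inside source static tcp 192.168.10.1 25 171.69.232.209 25 extendable
!
! Everything else is PATed on the outside interface address, but only when
! the route-map permits it. On the inside-to-outside path IOS applies NAT
! before the crypto map, so spoke-to-hub traffic must be excluded here or it
! is translated first and never matches the crypto ACL (the 'check the
! route-map' case above).
ip nat inside source route-map NONAT interface Serial0 overload
!
access-list 110 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address 110
!
! Crypto ACL: the same spoke-to-hub pair that access-list 110 denies.
access-list 120 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key SPOKEKEY address 203.0.113.1
crypto ipsec transform-set HUBSET esp-3des esp-sha-hmac
crypto map SPOKE 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set HUBSET
 match address 120
```

To check the route-map part, ping a hub address from the LAN and look at show ip nat translations: if the spoke-to-hub traffic shows up there, access-list 110 is not denying it and the tunnel will never be used; show crypto ipsec sa should then show no encrypted packets.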
, global, static, conduit, and access-list Commands and Port
Redirection on PIX
http://www.cisco.com/warp/public/707/28.html
Make sure that you understand how, when and why static command is used on
the PIX.
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED
The problem here is the source and destination are outside. Why? PIX can't
redirect traffic, so even if the conduit is allowing this traffic, PIX won't let
it through, unless the src is outside and the dst is inside. You either have a
routing issue here or just something is misconfigured on the PIX.
Use wr term
with it. It has
quite a few new features that are very useful.
6.3 code will not be available until 1st quarter 2003.
And of course no need to go into monitor mode :-).
The OS upgrade on the PIX sounds pretty simple because it's just that
simple...
-- Lidiya White
-Original Message-
From
icmp command on the PIX allows/denies pinging interfaces of the PIX
itself. It has nothing to do with pinging through the PIX...
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, September 10, 2002 9:31 AM
The access-list is correct. There is something else that is going on.
Use debug icmp trace to troubleshoot...
How do you test this access-list? What are you trying to ping?
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Elijah Savage
on the same wire they have to be on the same
subnet. So you either have to reconfigure the server to have a private
ip address or use a router on the inside of the PIX. PIX doesn't support
secondary ip addresses.
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL
to pass traffic across of it.
There is something else going on in his case and debugs didn't show
it. That's why I asked for debugs from both ends at the same time...
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Ciaron Gogarty
Sent
If you have only one public ip address and it is used on the outside
interface:
static (inside,outside) tcp interface 25 inside_ip 25 netmask 255.255.255.255
conduit permit tcp host outside_ip eq 25 any
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED
Capture debugs on both ends at the same time. Should be more helpful.
Make sure both ends have isakmp identity address...
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, July 30, 2002 4:05 PM
To: [EMAIL
.
Just pay no attention to them. Again, they have no functionality; they
do not allow or disallow anything...
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 23, 2002 3:45 PM
To: [EMAIL PROTECTED]
Subject: Re: pix quick help [7
IP Security Through Network Address Translation Support
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_fix/827/827rlnts/820feat.htm
I think Linksys just has an option for a checkmark on IPSec through
NAT.
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED
for...
It's not just in theory. From my own experience, I had 3 VPN clients
behind a Cisco 806 that was configured for PAT, simultaneously
connecting to the same PIX via VPN and passing traffic.
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED
terminate VPN tunnels on the VPN Concentrator or
the PIX.
If not, then you can use the VPN Concentrator with the IPSec over TCP option.
PIX doesn't support IPSec over TCP for now. PIX only listens on udp port
500.
-- Lidiya White
If so ... and if I had say ... 30 - 40 remote offices
I bet you were using IPSec over TCP. Then it really doesn't matter what
is in the 'middle'. Your Cisco 1605 will see only tcp traffic, not esp.
Cisco 1600 is not IPSec aware (and doesn't have to be in your setup).
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL
You can even use clear xlate local x.x.x.x, where x.x.x.x is the
private ip address of the host on the inside.
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
fahim
Sent: Thursday, June 13, 2002 3:35 AM
To: [EMAIL PROTECTED]
Subject: Re
By the way, PDM 2.0.1 is deferred now. Wait for 2.0.2...
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Roberts, Larry
Sent: Thursday, June 13, 2002 10:16 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX 6.2 [7:46454]
No, but 6.2(1
Try 12.2.8T. The main code line doesn't support WIN-1ENET=
http://www.cisco.com/cgi-bin/front.x/Support/HWSWmatrix/hwswmatrix.cgi
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
JohnZ
Sent: Thursday, June 13, 2002 12:57 PM
To: [EMAIL
It'll reboot I believe every 24 hours.
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Sam Wong
Sent: Friday, June 07, 2002 11:57 PM
To: [EMAIL PROTECTED]
Subject: PIX 515 FO license [7:46075]
I've seen some PIX 515s on eBay lately
icmp any any echo-reply.
Before you try to FTP, try to telnet on port 21. What is the default
gateway of the FTP server? Enable logging buffered info and check sh
log for the build or teardown messages for the FTP server's ip
address...
-- Lidiya White
-Original Message-
From
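The troubleshooting steps that come up repeatedly above (telnet to the port before using the application, logging buffered to catch the build/teardown messages, debug icmp trace, clearing the xlate after a change) as one PIX 6.x console session. Added example, not from the thread; 10.1.1.21 stands for the FTP server and 203.0.113.2 for the outside address, both assumptions.

```cisco
! Constructed PIX 6.x checklist (not posted on the list). All addresses are
! placeholders: 10.1.1.21 is the FTP server, 203.0.113.2 its public address.
!
! 1. Keep a log you can read back from the console, with timestamps.
logging on
logging timestamp
logging buffered informational
!
! 2. Watch ICMP per interface while the host under test pings the PIX's
!    default gateway (not the far-side PIX interface, which never answers).
!    If no echo-request from that host shows up at all, the PIX never
!    received it: check the host's default gateway first.
debug icmp trace
!
! 3. Open a plain TCP session before trying the application itself,
!    from an outside host:   telnet 203.0.113.2 21
!    then read what the PIX did with it:
show logging
!    Expect a 'Built inbound TCP connection' line for the server address.
!    A 'Deny' line points at the access-list/conduit; no line at all
!    points at routing or at a missing translation.
show xlate
!    A translation for 10.1.1.21 (static or PAT) has to exist before any
!    connection can be built.
show conn
!
! 4. Changed a static or the access-list? The old translation survives
!    and keeps the old behaviour; drop it (exec command, not config).
clear xlate local 10.1.1.21
!
! 5. Turn the debug off before leaving the console.
no debug icmp trace
```

Capture the same things on the far end at the same time when a VPN peer is involved; one side's debug alone is often inconclusive, as the thread notes.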
VPN 1.1 client - yes (it's the IRE client).
VPN Unity client (3.x) - no. It's using xauth.
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
fahim
Sent: Monday, May 27, 2002 8:40 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN client software
translation) for a protocol that
doesn't have ports?
Let's say Cisco VPN Concentrators have a feature like IPSec over UDP or
TCP. What it does is encapsulate ESP in UDP or TCP.
So the answer to your question depends on whether your VPN client and VPN
device support IPSec over TCP or UDP.
-- Lidiya White
Check the default gateway of your PC.
Enable debug icmp trace on the PIX to troubleshoot...
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Jablonski, Michael
Sent: Wednesday, May 22, 2002 3:42 PM
To: [EMAIL PROTECTED]
Subject: PIX 515E
example above, you have only one public ip address assigned to the
outside interface and do PAT and static nat for your servers...
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Andy Barkl
Sent: Sunday, May 12, 2002 7:47 PM
To: [EMAIL
secure. As far as decreased security for the LAN behind the PIX,
again, I don't see a major hole there.
As far as the Microsoft client goes, it doesn't have as strong encryption as
the Cisco client does.
Example:
http://www.cisco.com/warp/public/110/pix3000.html
(search for split).
-- Lidiya White
at the end:
isakmp key address 0.0.0.0 netmask 0.0.0.0 no-xauth
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/ipsec/commands.htm#xtocid185911
Clear the tunnel and it should work like a charm :-).
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto
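A PIX 6.x crypto configuration that terminates both remote-access clients (Xauth, which the Unity client uses) and a LAN-to-LAN router peer that must not be asked for Xauth, which is what the no-xauth key above achieves, together with the isakmp identity address setting mentioned earlier and a split tunnel. Added example, not from the thread; the addresses, names, pool, secrets and the LOCAL user database (6.2 or later) are assumptions.

```cisco
! Constructed PIX 6.x example (not posted on the list). One outside
! interface serving VPN clients with Xauth and one router peer at
! 198.51.100.7 that is excluded from Xauth. All addresses, names and
! secrets are placeholders.
!
! Traffic into either tunnel must not be translated.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.9.9.0 255.255.255.0
nat (inside) 0 access-list nonat
! Let decrypted traffic in without an interface ACL entry for it.
sysopt connection permit-ipsec
!
! Phase 2
crypto ipsec transform-set strong esp-3des esp-sha-hmac
! LAN-to-LAN: static entry with a crypto ACL and a fixed peer.
access-list l2l permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address l2l
crypto map outside_map 10 set peer 198.51.100.7
crypto map outside_map 10 set transform-set strong
! Remote access: dynamic entry, lowest priority, peers unknown in advance.
crypto dynamic-map dynmap 10 set transform-set strong
crypto map outside_map 20 ipsec-isakmp dynamic dynmap
! Xauth against the local user database plus mode-config for the clients.
! Both settings apply to every peer on this map, which is why the router
! key below carries no-xauth / no-config-mode.
crypto map outside_map client authentication LOCAL
crypto map outside_map client configuration address respond
crypto map outside_map interface outside
!
! Phase 1
isakmp enable outside
! Identify peers by IP address; both ends must use the same identity type
! or the SA never comes up.
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Router peer: without no-xauth the PIX waits for a username/password that
! the router never sends, and the tunnel stays down.
isakmp key L2LSECRET address 198.51.100.7 netmask 255.255.255.255 no-xauth no-config-mode
!
! Remote-access group: address pool, split tunnel, group password.
ip local pool vpnpool 10.9.9.1-10.9.9.50
access-list split permit ip 10.1.1.0 255.255.255.0 any
vpngroup sales address-pool vpnpool
vpngroup sales dns-server 10.1.1.53
vpngroup sales split-tunnel split
vpngroup sales idle-time 1800
vpngroup sales password GROUPSECRET
username alice password AlicePassw0rd privilege 2
```

After changing the key or the map, clear the existing SAs (clear crypto isakmp sa and clear crypto ipsec sa) so the router peer renegotiates without Xauth; an old SA keeps the old behaviour until it expires.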
Starting with version 5.0, access-lists were introduced for the PIX
Firewall. All codes do support conduits.
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
x
Sent: Wednesday, April 10, 2002 1:46 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX
I didn't see a clear explanation regarding this icmp behavior on the PIX
on CCO. But I do know for sure that there is no workaround for this. I
guess you can just call it a security feature :-).
-- Lidiya White
-Original Message-
From: dk [mailto:[EMAIL PROTECTED]]
Sent: Wednesday
You'll never be able to ping an interface of the PIX that is not directly
connected to you (like in your case). Neither access-list nor icmp commands
can enable that 'feature'.
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
dk
Sent
There may be another problem with the Scenario 3:
How will R1 int0 talk to R2 int1 if they are on the same subnet? Are you
going to bridge ip traffic?
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 07, 2002 9:20 PM
To: [EMAIL
In Scenario 2, how many segments are there?
Is there anything wrong with routing router 1 to router 2 and not using a
common segment?
It just won't work, unless you use secondary ip addresses.
-- Lidiya White
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40772t=40766
192.168.2.13
You want the ip address of the inside interface to look like the outside
router???
I would use clear static and clear xlate...
You'll never be able to ping the 192.168.2.14 ip from the 216.6.24.130 host,
but you should be able to ping .13.
-- Lidiya White
-Original Message-
From
fixup protocol for any port you want.
I'll attach a document that describes all fixup protocols.
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Joseph Rago
Sent: Friday, April 05, 2002 7:10 AM
To: [EMAIL PROTECTED]
Subject: RE: FIXUP
My attachment (.doc file) didn't go through. It's an 8-page document. If
anybody is interested, please reply to me directly...
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Lidiya White
Sent: Friday, April 05, 2002 7:25 PM
To: [EMAIL
Cisco TFTP server is still freeware:
http://www.cisco.com/pcgi-bin/tablebuild.pl/tftp
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Dave W.
Sent: Thursday, April 04, 2002 12:38 AM
To: [EMAIL PROTECTED]
Subject: Re: tftp [7:40403
had one issue the other day where the PIX was dropping SYN ACK packets, and
the only way we found the problem was using the sniffer (the SYN packet was
apparently bypassing the PIX, when everybody swore that it could not).
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL
You'll never be able to ping the outside ip address of the PIX from the
inside, but you should be able to ping the outside router.
I think the rest of the questions were already answered...
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Avi
any host 205.11.22.9 eq 80
Port Redirection with Statics
http://www.cisco.com/warp/public/707/28.html#port
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
John Green
Sent: Monday, April 01, 2002 10:58 AM
To: [EMAIL PROTECTED]
Subject
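Several of the answers above deal with the same PIX building blocks: the identity static with conduits, the nat/global/static/conduit/access-list document, port redirection on a single public address, access-lists being available from 5.0 up, and the difference between the icmp command and a conduit for echo-reply. Here they are in one PIX 6.x configuration using access-list/access-group instead of conduits (port statics need 6.0 or later). Added example, not a configuration from the list; the interface names and all addresses (203.0.113.2 on the outside, 10.1.1.0/24 inside, 172.16.20.0/24 dmz) are assumptions.

```cisco
! Constructed PIX 6.x example (not posted on the list). One public address
! on the outside interface, an inside LAN and a dmz. Addresses and interface
! names are placeholders.
!
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.20.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Outbound: PAT everything on the outside interface address.
nat (inside) 1 10.1.1.0 255.255.255.0
nat (dmz) 1 172.16.20.0 255.255.255.0
global (outside) 1 interface
!
! Identity static: inside hosts keep their own addresses toward the dmz.
! A static only creates the translation; by itself it permits nothing.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
!
! Port redirection on the interface address: 25 -> inside mail server,
! 80 -> dmz web server. The interface address can only be used in per-port
! statics like these, never in a one-to-one static.
static (inside,outside) tcp interface 25 10.1.1.25 25 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 80 172.16.20.10 80 netmask 255.255.255.255 0 0
!
! Inbound policy. On 6.x an ACL on the outside interface matches the global
! (translated) address, i.e. the interface address, not 10.1.1.25.
access-list outside_in permit tcp any host 203.0.113.2 eq 25
access-list outside_in permit tcp any host 203.0.113.2 eq 80
! ICMP is not stateful on 6.x: replies to pings sent from the inside
! through the PIX must be permitted explicitly.
access-list outside_in permit icmp any any echo-reply
access-group outside_in in interface outside
!
! 'icmp' controls pinging the PIX's own interfaces, not traffic through it:
! with this line the outside address stops answering pings, while the
! echo-reply entry above keeps working.
icmp deny any outside
!
! After adding or changing a static, drop the old translations for that
! host (exec command, not config).
clear xlate local 10.1.1.25
```

The test from the thread still applies: from the inside, ping 203.0.113.1 (the PIX's default gateway) rather than the outside interface, and from the outside telnet to 203.0.113.2 on port 25 before blaming the mail server.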
sa.
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Joseph Carr
Sent: Monday, April 01, 2002 12:00 PM
To: [EMAIL PROTECTED]
Subject: VPN issues [7:40064]
Well, I am having some trouble with VPN sessions getting
disconnected. I have
is connection based act key.
Activation keys are cut based on the serial number of the PIX Firewall,
so if you'll be upgrading OS code, you don't need a new act key. But if
you'll be replacing your PIX Firewall, you'll need to request a new
activation key...
--- Lidiya White
-Original Message
I would add no ip route-cache on that interface and make sure that you
don't have logging synchronous under line con 0...
-- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Pierre-Alex Guanel
Sent: Saturday, March 30, 2002 3:04 PM
for peers.
--- Lidiya White
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, March 28, 2002 7:43 AM
To: [EMAIL PROTECTED]
Subject: Crypto Map in Loopback interface [7:39744]
Hi All,
Can I apply a crypto map to loopback
.
-- Lidiya White
-Original Message-
From: george gittins [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 10:39 AM
To: Lidiya White
Subject: RE: pix and e-mail problem [7:39643]
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Lidiya White
Mailguard on the PIX is a fixup. If you do have the fixup protocol for mail,
remove it.
It is a well known issue with Microsoft for the TAC :-)))
I do have an article from Microsoft about this; if you would like I can
e-mail it to you later (I have it in bookmarks on another computer)...
-- Lidiya White